[Snort-users] Question about stream4

Hendo hendo at ...3663...
Fri Nov 19 06:07:26 EST 2004

My company has a mainframe and it is always terminating connections in a
way that trips snorts stream4 preprocessor.

It always either sets the PSH Flag with RST or even the ACK PSH RST.

This causes a stream4 stealth activity alert.

I want to keep monitoring the mainframe, so a filter is not suitable.

I wish stream4 had some configurability to ignore that flag combo from
that particular address.

Ideas welcome.



More information about the Snort-users mailing list